09/04/2008. Achieving mutual recognition and interoperability of eID for eGovernment services in the EU. John Stienen, EUROPEAN COMMISSION, DIRECTORATE-GENERAL FOR INFORMATICS, European eGovernment Services (IDABC)

Egovernment John Stienen


DESCRIPTION

e-government model


  • Achieving mutual recognition and interoperability of eID for eGovernment services in the EU

    John Stienen

  • Outline

    The policy context

    ICT Policy Support Programme Pilots

    IDABC study on eSignatures

    IDABC study on eID

  • The policy context

    Manchester Ministerial Declaration

    Electronic Identity Management

    eIDM: By 2010: Secure means of electronic identification recognised across the EU

    eDoc: By 2010: Framework for the use of authenticated electronic documents across the EU

    Single Market Review Action Plan

    i2010 eGovernment Action Plan

  • Manchester Ministerial Declaration, 24 November 2005

    No citizen left behind, inclusion by design

    By 2010 all citizens become major beneficiaries

    By 2010 innovative ICT, trust, awareness, skills for inclusion

    ICT for efficient and effective government

    By 2010 high user satisfaction

    By 2010 adm. burden reduction, efficiency, transparency, accountability

    Delivering high impact services

    By 2010 100% e-procurement available, 50% take-up

    By 2010 deliver other high impact services for growth and jobs

    Trusted access by means of eIDM across the EU

    By 2010 interoperable eIDM for public services across the EU

    By 2010 electronic document recognition framework

  • i2010 eGovernment Action Plan: interoperable eIDM as key enabler

    2006: Roadmap setting measurable objectives and milestones for a European eIDM framework by 2010 based on interoperability and mutual recognition of national eIDM (adopted on 25 April 2006).

    2007: Agree common specifications for interoperable eIDM in the EU.

    2008: Large scale pilots of interoperable eIDMs in cross-border services and implementing commonly agreed specifications.

    2009: eSignatures in eGovernment: Undertake review of take-up in public services.

    2010: Review the uptake by the Member States of the European eIDM framework for interoperable eIDMs.

  • Single Market Review COM(2007) 724 final

    ICT is essential for the good functioning of the "e-Internal Market", creating interoperable services such as e-invoicing, e-procurement and e-customs. With the rapid development of these technologies, there is the risk that Member States opt for different or incompatible solutions, and that new "e-barriers" would emerge for the end users. The Member States and the Commission, working together, need to redouble their efforts to avoid market fragmentation and promote commonly agreed ICT solutions.

    Building on on-going work in the field of e-government, the Commission will present in 2008 a specific Action Plan to further promote the implementation of mutually recognised and interoperable electronic signatures and e-authentication (electronic identity) between the Member States, thereby facilitating the provision of cross-border public services.

  • A road map for a pan-European eIDM framework by 2010

    Establish Common Specifications

    Create & involve Stakeholder Platform

    Acceptance of a conceptual model

    Consider baseline activities, examples, synergies

    Prepare large scale pilot

    Lisbon 2007

    Base line study

    Legal study

    multi-level authentication study

    European standardisation

    Large scale Pilot

    eGovernment 2009

    Awareness campaigns towards citizen

    Consultation data protection / data ownership models and principles

    Benchmark progress

    Study on mandate/authorisation/role mgt model

    Study on take-up of eSignatures in eGovernment

    Consultation on evaluation & implementation of private sector uptake

    Study on eIDM as quality mark for eAuth

    Continuous assessment of compliance with data protection principles

    Continuous assessment of security concerns

    Performance of Large Scale Pilot model validation and updating

    2010 recommendations

    Monitor progress

    Roadmap & Common Terminology

    Pilot Launched

    Common Specs

    Pilot Results

    2010 Results

  • eGovernment Objectives

    ICTPSP Call 2007 Overview

    Pilots Type A

    Pilots Type B

    Thematic Networks

    Enabling EU-wide public eProcurement

    Towards pan-European recognition of e-IDs

    Mutual recognition & interoperability of electronic documents

    Accessible & inclusive eGovernment services

    Combined delivery of social services

    Promoting local and regional eParticipation

    Stimulating measurement of impact and user satisfaction

    Brokering pan-European eGovernment solutions and services online

    Budget allocation: 24 M

  • ICTPSP Pilots type A

    Pilot areas defined by Member States in the context of agreed political declarations (e.g. Manchester declaration)

    eGovernment call 2007: two (2) Large Scale Pilots focused on Interoperability, with direct involvement and leadership of Member States:

    EU-wide public eProcurement: Implementation of an integrated EU-wide electronic public procurement solution, enabling companies, in particular SMEs, from one state to respond to public procurements in any other state.

    Pan-European recognition of eIDs: Implementation of an EU wide interoperable system for recognition of eID and authentication, enabling businesses, citizens to use their national electronic identities in any Member State

  • IDABC Programme

  • IDABC Programme

    Key elements of IDABC Work Programme:

    Projects of Common Interest (PCI): support (budget and guidance) within the Commission services to sectoral projects that have legal base from an existing Community legislation (e.g. PLOTEUS, IMI, LISFLOOD, SANREF, TRACES)

    Horizontal Measures (HM): designed to support sectoral projects and eGovernment services generally by providing basic infrastructure (network, CIRCABC, PKI), security measures (eID, eSignatures), interoperability measures (European Interoperability Framework, XML Clearing house), spread of good practice (OSS repository, eGov observatory)

  • IDABC Preliminary study on mutual recognition of eSignatures

    Analyses the requirements in terms of interoperability of electronic signatures for different eGovernment applications, and provides recommendations on how to improve interoperability

    Provides an overview of applications per Member State concentrating on:

    the type of electronic signature legally required

    the applicable technical restrictions

    Makes a proposal on how to disseminate the results, e.g. through a mutual information mechanism on electronic signature requirements.

    Studied 127 eGovernment applications described in detail in 29 country profiles (27 MS + 2 CC)

  • eSignatures: Analysis, identified issues (1)

    127 eGovernment applications processed:

    90 using eSignatures

    37 using electronic certificates as authentication means

    Main sectors referenced:

    eTaxes: 29 applications

    One-stop shop portal: 12 applications

    eProcurement: 11 applications

    eHealth: 4, eJustice: 3, Social Security: 3

    Regulations tend to remain technology neutral

    Administrations have large autonomy in choosing the right solution for their applications

    Cross border interoperability is not considered to be a priority

    Mutual recognition: application owners presently have no way of determining which signature solution providers meet the security and reliability requirements of their applications.

  • eSignatures: Analysis, identified issues (2)

  • eSignatures: Conclusions

    Dissemination of available information on national practices should be improved

    There is a link and sometimes confusion between the concepts and implementation of authentication and electronic signatures

    The trend is toward PKI solutions, hence this is where initiatives should focus

    A federated validation solution is needed to permit the validation and the establishment of trust for foreign signatures.

    Member States' opinions on EU involvement and the role of the private sector should be sought

  • eSignatures: List of supervised CSPs

  • eSignatures: Federated Validation

  • IDABC eID Interoperability for PEGS

    Based on existing actions at the EU level (e.g. Modinis Study on ID Management in eGovernment (DG INFSO), IST projects GUIDE, FIDIS and PRIME (DG INFSO), work by the Porvoo Group, etc), a strategy for eID Interoperability shall be elaborated that includes as a minimum:

    a survey and comparison of the national eID legal instruments for the 27 MS + 2 CC + 3 EEA;

    a survey and description of the national technical solutions implemented in each of the 27 + 2 + 3 Countries for the national eID.

    a market assessment of the ID Management technical solutions; in particular a high-level description of the concept of federated identities and its applicability for interoperability of eIDs shall be produced;

    a proposal and an impact assessment of a multi-level authentication mechanism;

    Common specifications for interoperable eID solutions shall be drafted based on the results of the elaborated strategy for eID interoperability

  • eID: Identity resources

    27 issue identity cards (84%); 7 are currently deploying eID cards to the public; 14 more are in the process of designing eID cards for future roll-out

    Apart from smart cards, in 12 countries out of 32 (37.5%) the use of non-card tokens was reported; predominantly soft PKI certificates

    All countries use general identifiers in some form; specific legal protection of such identifiers was reported in 20 of the 32 surveyed countries (62.5%)

    Formal acceptance of an authentic source principle was uncommon, being reported in only 5 countries out of 32 (16%). A further 9 countries (28%) had informally adopted the principle, with another 3 (10%) planning to do so

  • eID: Authentication

    A total of 14 countries out of 32 (44%) reported using public sector controlled PKI systems, with a total of 16 systems being reported. Of these 16 systems, 10 were open to private sector use (62.5%).

    16 countries out of 32 (50%) reported using public/private sector controlled PKI systems.

    75% of countries use PKI as a key authentication strategy

    Username/password systems also remain very popular. In total, 20 countries out of 32 (62.5%) have reported using login systems as a key component of their eIDM strategy, with 27 systems in total being reported. Of the reported login systems, 17 were simple username/password systems; 8 required a challenge/response system; and 2 required password calculators.

  • eID: Mandates/roles

    27 countries out of 32 (84%) have no form of mandate management, apart from the static allocation of certificates or credentials to the representatives of a specific legal entity

    4 countries out of 32 (12.5%) have implemented an ad hoc form of mandate management covering specific applications or service types, most typically by allowing the designation of an authorised representative in an administration specific database

    Only Austria has created a generic system of mandate management, relying on the central source PIN Register Authority

  • eID: Multilevel authentication

    15 out of 32 countries (47%) allow some form of multilevel authentication structure to be derived; but only in 4 of these countries can a formal authentication policy be identified

    From a practical perspective, in most of these countries the acceptance (formal or informal) of an authentication policy has had a limited impact on the use of the applications

    The practical impact of authentication policies has been very limited thus far

  • eID: Legal/policy analysis

    The received responses confirmed the expectation that no specific legal framework with regard to entity authentication exists in any of the 32 surveyed countries

    While a legal framework has often been created with regard to electronic identity cards (specifically which information they contain and what form they should take), the question of which elements legally constitute an entity's identity has not been explicitly regulated in any of the countries; nor has any of the countries implemented a generic legal framework detailing what authentication is, and at which point authentication requirements have been met

  • eID: Technical/infrastructure analysis

    No common specification exists for tokens and application middleware. Hardware tokens were not specified in 19 countries out of 32 (59.5%) and middleware applications were not specified in 20 countries out of 32 (62.5%)

    28 countries out of 32 (87.5%) are either using or planning to use some sort of certificate based identities

    22 countries out of 32 (68%) have implemented some level of certificate based authentications to their eGovernment services; 7 of the surveyed countries did not have any specific eGovernment applications to present

    23 countries out of 32 (72%) did not report a systematic preference for industrial standards; with only SAML being reported with any regularity (7 out of the 32 (22%))

  • More information

    The IDABC Programme: http://ec.europa.eu/idabc e-mail: [email protected]

    CIP Programme: http://ec.europa.eu/cip

    ICT Policy Support Programme: http://europa.eu/ict_psp
